{"id":22325,"date":"2023-05-17T08:24:56","date_gmt":"2023-05-17T06:24:56","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=22325"},"modified":"2023-05-17T11:53:47","modified_gmt":"2023-05-17T09:53:47","slug":"curl-8-1-0-http2-over-proxy","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2023\/05\/17\/curl-8-1-0-http2-over-proxy\/","title":{"rendered":"curl 8.1.0 &#8211; http2 over proxy"},"content":{"rendered":"\n<p>We are back with the first release since that crazy March day when we did <em>two<\/em> releases on the same day. First <a href=\"https:\/\/daniel.haxx.se\/blog\/2023\/03\/20\/curl-8-0-0-is-here\/\" data-type=\"post\" data-id=\"22030\">8.0.0 <\/a>shipped that bumped the major version for the first time in decades. Then <a href=\"https:\/\/daniel.haxx.se\/blog\/2023\/03\/20\/curl-8-0-1-because-i-jinxed-it\/\" data-type=\"post\" data-id=\"22142\">curl 8.0.1<\/a> followed just hours after, due to a serious mess-up in the factory lines.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Release video presentation<\/h2>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"curl 8.1.0 with Daniel Stenberg\" width=\"474\" height=\"267\" src=\"https:\/\/www.youtube.com\/embed\/fLP141KZ7l4?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Numbers<\/h2>\n\n\n\n<p class=\"has-text-align-center\"><strong>the 217th release<br>3 changes<br>58 days (total: 9,189)<\/strong><br><strong>185 bug-fixes (total: 9,006)<\/strong><br><strong>322 commits (total: 30,367)<br>0 new public libcurl function (total: 91)<br>0 new curl_easy_setopt() option (total: 
302)<\/strong><br><strong>1 new curl command line option (total: 251)<\/strong><br><strong>64 contributors, 35 new (total: 2,875)<\/strong><br><strong>37 authors, 17 new (total: 1,142)<\/strong><br><strong>4 security fixes (total: 145)<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Security<\/h2>\n\n\n\n<p>We disclose four new curl security vulnerabilities today, three of them at severity <strong>Low<\/strong> and one of them at <strong>Medium<\/strong>. This also means that 3,840 USD was awarded as bug bounties in this release cycle.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">UAF in SSH sha256 fingerprint check<\/h3>\n\n\n\n<p>[<a href=\"https:\/\/curl.se\/docs\/CVE-2023-28319.html\">CVE-2023-28319<\/a>] libcurl offers a feature to verify an SSH server&#8217;s public key using a SHA-256 hash. When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the (now freed) hash.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">siglongjmp race condition<\/h3>\n\n\n\n<p>[<a href=\"https:\/\/curl.se\/docs\/CVE-2023-28320.html\">CVE-2023-28320<\/a>] libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it can time out slow name resolves using <code>alarm()<\/code> and <code>siglongjmp()<\/code>.<\/p>\n\n\n\n<p>When doing this, libcurl used a global buffer that was not mutex-protected, so a multi-threaded application might crash or otherwise misbehave.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">IDN wildcard match<\/h3>\n\n\n\n<p>[<a href=\"https:\/\/curl.se\/docs\/CVE-2023-28321.html\">CVE-2023-28321<\/a>] curl supports matching of wildcard patterns when listed as &#8220;Subject Alternative Name&#8221; in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. 
This private wildcard matching function would match IDN (Internationalized Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">more POST-after-PUT confusion<\/h3>\n\n\n\n<p>[<a href=\"https:\/\/curl.se\/docs\/CVE-2023-28322.html\">CVE-2023-28322<\/a>] When doing HTTP(S) transfers, libcurl might erroneously use the read callback (<a href=\"https:\/\/curl.se\/libcurl\/c\/CURLOPT_READFUNCTION.html\">CURLOPT_READFUNCTION<\/a>) to ask for data to send, even when the <a href=\"https:\/\/curl.se\/libcurl\/c\/CURLOPT_POSTFIELDS.html\">CURLOPT_POSTFIELDS<\/a> option has been set, if the same handle previously was used to issue a PUT request which used that callback.<\/p>\n\n\n\n<p>This flaw may surprise the application and cause it to misbehave: in the second transfer it may send off the wrong data, use memory after it was freed, or similar.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Changes<\/h2>\n\n\n\n<p>This release has only three real changes. One bigger and two smaller:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">HTTP\/2 over proxy<\/h3>\n\n\n\n<p>libcurl can now negotiate and use HTTP\/2 when it is told to use an HTTPS proxy (details in the <a href=\"https:\/\/curl.se\/libcurl\/c\/CURLOPT_PROXYTYPE.html\">CURLOPT_PROXYTYPE man page<\/a>), and the command line tool can of course switch it on using the <code><a href=\"https:\/\/curl.se\/docs\/manpage.html#--proxy-http2\">--proxy-http2<\/a><\/code> option. Explained more in <a href=\"https:\/\/daniel.haxx.se\/blog\/2023\/04\/14\/curl-speaks-http-2-with-proxy\/\" data-type=\"post\" data-id=\"22248\">this blog post<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">refuse to resolve the .onion TLD<\/h3>\n\n\n\n<p>When a host name ending with <code>.onion<\/code> is passed on to the name resolver functions, they now return an error instead of resolving it. 
Like <a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc7686.html\">RFC 7686<\/a> tells us.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">curl&#8217;s -w option can now output URL components<\/h3>\n\n\n\n<p>The list of variables was extended by a whole range of new ones. Possibly best learned by checking out <a href=\"https:\/\/everything.curl.dev\/usingcurl\/verbose\/writeout\">the writeout section in everything curl<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Bugfixes<\/h2>\n\n\n\n<p>The official counter says we did more than 180 bugfixes in this release cycle. Here follow some of my favorites:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">checksrc fixes<\/h3>\n\n\n\n<p>We made it better at checking the code style for three distinct code situations &#8211; and then updated the source code accordingly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">cmake fixes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>bring in the network library on Haiku<\/li>\n\n\n\n<li>do not add zlib headers for OpenSSL<\/li>\n\n\n\n<li>make config version 8 compatible with 7<\/li>\n\n\n\n<li>set SONAME for SunOS too<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">only do transfer-encoding compression if asked to<\/h3>\n\n\n\n<p>Transfer encodings other than &#8220;chunked&#8221; are rarely used. Until now, libcurl would still activate automatic decompression when one was used, even if the application had not asked for it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">bring back support for SFTP path ending in \/~<\/h3>\n\n\n\n<p>A regression made a URL ending in <code>\/~<\/code> no longer produce a directory listing, since such a URL does not end with a slash. That behavior is now restored, even if it goes a little against the standard behavior.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">never allocate dynbufs larger than &#8220;too big&#8221;<\/h3>\n\n\n\n<p>The general dynamic buffer system no longer allocates more memory than what the specific buffer is allowed to grow to. 
An optimization.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">various gskit compile errors in OS400<\/h3>\n\n\n\n<p>Makes curl build fine there again.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">enforce a maximum DNS cache size independent of timeout value<\/h3>\n\n\n\n<p>Previously, DNS cache entries were purged on age only (default 60 seconds), so a long timeout could let the cache grow without bound. With this new code, libcurl also caps the total number of DNS cache entries at 30,000.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">libssh2: fix crash in keyboard callback<\/h3>\n\n\n\n<p>Better SCP and SFTP when built with libssh2.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">libssh: tell it to use SFTP non-blocking<\/h3>\n\n\n\n<p>Better SCP and SFTP when built with libssh.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">add multi-ignore logic to multi_socket_action<\/h3>\n\n\n\n<p>The improved signal ignore logic for <a href=\"https:\/\/curl.se\/libcurl\/c\/curl_multi_perform.html\">curl_multi_perform<\/a> in 8.0.0 is now also done for <a href=\"https:\/\/curl.se\/libcurl\/c\/curl_multi_socket_action.html\">curl_multi_socket_action<\/a>. For better performance.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">remove PENDING + MSGSENT handles from the main linked list<\/h3>\n\n\n\n<p>Transfers that are not yet activated, and transfers that have already completed, are now moved off the main linked list. 
For performance.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">runtests: prepare for parallel<\/h3>\n\n\n\n<p>Lots of cleanups and smaller fixes have been merged during this cycle in preparation for the pending introduction of parallel tests.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">verify socketpair with a random value<\/h3>\n\n\n\n<p>The custom socketpair implementation used for platforms without a native one was changed to use truly random values when verifying that the pipe works.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Fix &#8216;Location:&#8217; formatting for early VTE terminals<\/h3>\n\n\n\n<p>The special terminal highlighting of the URL that is shown in the <code>Location:<\/code> header is now disabled for some terminals that can&#8217;t display it properly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">urlapi polish<\/h3>\n\n\n\n<p>Several different bugs were fixed and improvements made, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>cleanups and performance improvements<\/li>\n\n\n\n<li>detect and error on illegal IPv4 addresses<\/li>\n\n\n\n<li>prevent setting invalid schemes<\/li>\n\n\n\n<li>URL encoding for the URL missed the fragment<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">enhanced WebSocket en-\/decoding<\/h3>\n\n\n\n<p>Parts of the websocket parser code were rewritten to fix bugs.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We are back with the first release since that crazy March day when we did two releases on the same day. First 8.0.0 shipped that bumped the major version for the first time in decades. Then curl 8.0.1 followed just hours after, due to a serious mess-up in the factory lines. 
Release video presentation Numbers &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2023\/05\/17\/curl-8-1-0-http2-over-proxy\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">curl 8.1.0 &#8211; http2 over proxy<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":22391,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[33,95],"class_list":["post-22325","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","tag-curl-and-libcurl","tag-release"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/22325","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=22325"}],"version-history":[{"count":32,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/22325\/revisions"}],"predecessor-version":[{"id":22432,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/22325\/revisions\/22432"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/22391"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=22325"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=22325"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=22325"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
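The "UAF in SSH sha256 fingerprint check" entry above (CVE-2023-28319) describes a pure lifetime-ordering bug: free the computed fingerprint, then format an error message from it. The following is an added example written for this page, not libcurl's SSH code, that shows the buggy ordering next to the fixed one. It assumes the SSH library hands over the raw 32-byte SHA-256 of the host key and that the application configured the expected value as padded base64 (libcurl's CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 also takes base64; the padding handling here is a simplification). The base64 encoder is a plain reimplementation, not curl's.

```c
/*
 * Added example (not libcurl's ssh code): the lifetime mistake behind
 * CVE-2023-28319, next to the fixed ordering.
 *
 * Assumptions: 'digest' is the raw 32-byte SHA-256 of the server host key
 * as delivered by the SSH library, and 'expected' is the padded base64
 * string the application configured. Both are constructed in main().
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { FP_OK = 0, FP_MISMATCH = 1, FP_NOMEM = 2 };

static const char b64tab[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Standard padded base64 of n bytes, in a malloc()ed NUL-terminated string. */
char *b64_encode(const unsigned char *in, size_t n)
{
    size_t outlen = (n + 2) / 3 * 4;
    char *out = malloc(outlen + 1);
    size_t o = 0;
    if (!out)
        return NULL;
    for (size_t i = 0; i < n; i += 3) {
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < n) v |= (unsigned)in[i + 1] << 8;
        if (i + 2 < n) v |= (unsigned)in[i + 2];
        out[o++] = b64tab[(v >> 18) & 63];
        out[o++] = b64tab[(v >> 12) & 63];
        out[o++] = (i + 1 < n) ? b64tab[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < n) ? b64tab[v & 63] : '=';
    }
    out[o] = '\0';
    return out;
}

/*
 * The shape of the bug: the computed fingerprint is freed first and then
 * used to build the error message. Never call this; it is here only for
 * contrast with the fixed version below.
 */
int check_fingerprint_buggy(const unsigned char digest[32], const char *expected,
                            char *errbuf, size_t errlen)
{
    char *got = b64_encode(digest, 32);
    int ok;
    if (!got)
        return FP_NOMEM;
    ok = strcmp(got, expected) == 0;
    free(got);                                   /* freed here ...        */
    if (!ok) {
        snprintf(errbuf, errlen, "sha256 fingerprint mismatch: remote %s, "
                 "expected %s", got, expected);  /* ... used here: UAF    */
        return FP_MISMATCH;
    }
    return FP_OK;
}

/* Fixed ordering: every use of the buffer happens before free(). */
int check_fingerprint(const unsigned char digest[32], const char *expected,
                      char *errbuf, size_t errlen)
{
    char *got = b64_encode(digest, 32);
    int rc = FP_OK;
    if (!got)
        return FP_NOMEM;
    if (strcmp(got, expected) != 0) {
        snprintf(errbuf, errlen, "sha256 fingerprint mismatch: remote %s, "
                 "expected %s", got, expected);
        rc = FP_MISMATCH;
    }
    free(got);                                   /* last use is above     */
    return rc;
}

int main(void)
{
    /* constructed input: 32 zero bytes stand in for a real host-key digest */
    unsigned char digest[32] = {0};
    char err[256] = "";
    int rc = check_fingerprint(digest, "BBBB", err, sizeof err);
    printf("rc=%d err=%s\n", rc, err);
    return rc == FP_MISMATCH ? 0 : 1;
}
```

The fixed version is also the shape you want when the error string has to outlive the function: format first, or copy the fingerprint into the caller's buffer, and only then release the temporary. Build with AddressSanitizer (`-fsanitize=address`) and call the buggy variant once if you want to see the report such a bug produces.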
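The "IDN wildcard match" entry above (CVE-2023-28321) concerns the case where curl does its own certificate name matching instead of delegating to the TLS library. The rules that such a matcher has to enforce are spelled out in RFC 6125 section 6.4.3, and the IDN clause is the one that bit curl: a wildcard must never be allowed to match an A-label (a leftmost label starting with `xn--`). The following matcher is an added example written for this page, not curl's `hostcheck.c`, and implements those rules from scratch; the function names and the refusal of empty labels and `*.com`-style patterns are choices made here.

```c
/*
 * Added example (not curl's lib/vtls/hostcheck.c): a certificate host-name
 * matcher applying the wildcard and IDN rules of RFC 6125 section 6.4.3.
 *  - comparison is case-insensitive, as DNS names are;
 *  - one '*' at most, and it must be the entire leftmost label of the
 *    pattern ("*.example.com"; not "w*.example.com", not "*.*.example.com");
 *  - the wildcard must be followed by at least two labels, so "*.com"
 *    never matches anything;
 *  - the wildcard never matches an IDN A-label: a host whose leftmost
 *    label starts with "xn--" only matches an exact, wildcard-free name.
 *    A pattern such as "xn--*.example.com" already fails the whole-label rule.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* case-insensitive equality of two n-byte ASCII spans */
static bool ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* true if 'host' is matched by the certificate name 'pattern' */
bool host_matches(const char *host, const char *pattern)
{
    size_t hlen = strlen(host), plen = strlen(pattern);
    const char *star, *rest, *hdot;
    size_t rlen, hrest;

    if (!hlen || !plen || strchr(host, '*'))
        return false;                     /* a real host never has '*'   */

    star = strchr(pattern, '*');
    if (!star)                            /* plain name: exact match only */
        return hlen == plen && ieq(host, pattern, plen);

    /* '*' must be the whole first label and the only wildcard */
    if (star != pattern || plen < 2 || pattern[1] != '.' || strchr(star + 1, '*'))
        return false;

    rest = pattern + 1;                   /* ".example.com"               */
    rlen = plen - 1;
    /* at least two labels after the wildcard, and no empty label */
    if (rest[1] == '.' || !strchr(rest + 1, '.') || rest[rlen - 1] == '.')
        return false;

    hdot = strchr(host, '.');
    if (!hdot || hdot == host)            /* host needs a first label     */
        return false;
    if ((size_t)(hdot - host) >= 4 && ieq(host, "xn--", 4))
        return false;                     /* IDN A-label: no wildcard     */

    hrest = hlen - (size_t)(hdot - host); /* ".example.com" part of host  */
    return hrest == rlen && ieq(hdot, rest, rlen);
}

int main(void)
{
    /* constructed pairs; the IDN host is the A-label of "bücher" */
    static const char *cases[][2] = {
        {"www.example.com", "*.example.com"},
        {"xn--bcher-kva.example.com", "*.example.com"},
        {"xn--bcher-kva.example.com", "xn--bcher-kva.example.com"},
        {"a.b.example.com", "*.example.com"},
        {"www.example.com", "*.com"},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s %-28s %s\n", cases[i][0], cases[i][1],
               host_matches(cases[i][0], cases[i][1]) ? "match" : "no match");
    return 0;
}
```

The IDN test is deliberately on the host side: the certificate pattern `*.example.com` is perfectly ordinary, and the question is whether it may cover `xn--bcher-kva.example.com`. A matcher that only inspects the pattern for `xn--` answers yes, which is the class of mistake the advisory describes.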
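The ".onion" change above is a small gate in front of the resolver, but the edge cases are where a naive suffix test leaks names to DNS: mixed case, and the fully qualified spelling with a trailing dot. The following is an added example written for this page, not libcurl's `hostip.c`; the function names and the error text are this example's own. It treats a bare `onion` as a normal name, matching only the `.onion` suffix, which is a choice made here.

```c
/*
 * Added example (not libcurl's hostip.c): refuse ".onion" names before any
 * DNS traffic, as RFC 7686 asks of software that does not speak Tor.
 * Case-insensitive, and also catches "example.onion." (trailing dot).
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { RESOLVE_OK = 0, RESOLVE_REFUSED_ONION = 1 };

/* case-insensitive "does the first slen bytes of s end with tail" */
static bool tail_ieq(const char *s, size_t slen, const char *tail)
{
    size_t tlen = strlen(tail);
    if (slen < tlen)
        return false;
    s += slen - tlen;
    for (size_t i = 0; i < tlen; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)tail[i]))
            return false;
    return true;
}

/* true for "x.onion", "X.ONION", "x.onion."; false for "onion.example" */
bool is_onion_name(const char *host)
{
    size_t len = strlen(host);
    if (len && host[len - 1] == '.')      /* fully qualified form */
        len--;
    return tail_ieq(host, len, ".onion");
}

/* What a resolver front-end does with it: fail before touching DNS. */
int resolve_gate(const char *host, char *errbuf, size_t errlen)
{
    if (is_onion_name(host)) {
        snprintf(errbuf, errlen, "refusing to resolve .onion name %s (RFC 7686)",
                 host);
        return RESOLVE_REFUSED_ONION;
    }
    errbuf[0] = '\0';
    return RESOLVE_OK;
}

int main(void)
{
    /* constructed names covering the edge cases */
    static const char *names[] = {
        "example.onion", "EXAMPLE.ONION", "example.onion.",
        "example.onion.com", "notonion", "curl.se",
    };
    char err[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = resolve_gate(names[i], err, sizeof err);
        printf("%-20s -> %s\n", names[i], rc ? err : "resolve");
    }
    return 0;
}
```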